
Can you trust Active Directory's trust relationships?

Windows 2000 and Windows Server 2003 differ in how they handle trust relationships between separate forests.

One of the larger improvements in Active Directory over its predecessor NT4 is the way in which AD manages trust relationships in a multi-domain environment.

In Windows 2000 and Windows Server 2003 Active Directory, you have certain trust relationships that are enabled by default and created automatically: a two-way transitive trust relationship between a parent domain and all child domains that are created beneath it, and a two-way transitive trust between the root domains of multiple domain trees within a single forest. A two-way trust relationship means that users in Domain A can access resources in Domain B using the same trust relationship that allows users in Domain B to access resources in Domain A. This greatly simplifies matters compared to NT4, where you needed to create and manage a separate trust relationship (a one-way trust) in each direction if you needed to configure access on both sides of the trust. A transitive trust relationship means that if Domain A trusts Domain B and Domain B trusts Domain C, then an implicit trust relationship exists automatically between Domain A and Domain C; there's no need to create a third trust relationship manually. So if an Active Directory domain has numerous child domains, all of those child domains will have implicit trust relationships with each other by virtue of the fact that they each have a trust relationship with that single parent domain. Likewise, in a forest containing multiple domain trees, all child domains in each domain tree will be able to access resources in other trees because of the transitive nature of the trust that exists by default between the root domains of each domain tree.

Windows 2000 and Windows Server 2003 differ, however, in how they handle trust relationships between separate forests. The only type of trust relationship that you can create between two Windows 2000 forests is a one-way non-transitive trust between a single domain in Forest A and a single domain in Forest B. As you might imagine, this is the total opposite of the default trust relationships established between domains in a single forest. A non-transitive trust means that only the two domains that are explicitly defined in the trust relationship will be able to access one another's resources; if you need to access resources in other domains across the forest boundary, you'll need to set up additional trust relationships to accommodate this. And a one-way trust means that access will only flow in a single direction: if Domain B is trusted by Domain A, then users in Domain B will be able to access resources in Domain A, but the reverse will not apply – users in Domain A will not be able to get to resources in Domain B without creating a one-way trust in the opposite direction (where Domain A is trusted by Domain B).

Windows Server 2003 improves on this quite a bit by introducing the cross-forest trust. This advanced feature of Active Directory is only available if both forests are at the Windows Server 2003 forest functional level, which means that all domain controllers in all domains in both forests are running Windows Server 2003 and you've manually changed to the new forest functional level. Cross-forest trusts are transitive, which means that every domain in Forest A will have an implicit trust relationship with every domain in Forest B. What transitivity does not mean for cross-forest trusts (and this often causes confusion) is this: if you have a cross-forest trust between Forest A and Forest B, and a second cross-forest trust between Forest B and Forest C, a trust relationship does not exist between Forest A and Forest C. You'd need to create a second cross-forest trust between Forest A and Forest C to allow this to happen. Cross-forest trusts can be either one-way or two-way, and you'll establish the trust relationship between the forest root domain in each forest.
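The three rules above (intra-forest trusts chain, Windows 2000 external trusts reach only the one domain named in them, and a cross-forest trust reaches the whole other forest but never hops on through a second cross-forest trust) are easy to misjudge when planning a trust. The following is an added example, not code from the article, that models those rules so you can see which domains a proposed trust actually exposes before you create it; the domain names and the sample topology are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Trust:
    trusting: str        # domain whose resources are exposed (it "trusts" the other)
    trusted: str         # domain whose users gain access
    kind: str            # "intra_forest", "external" (Win2000) or "cross_forest" (2003)
    two_way: bool = False
    def edges(self):     # (users_from, resources_in) pairs this trust creates
        yield (self.trusted, self.trusting)
        if self.two_way:
            yield (self.trusting, self.trusted)

def _forest_closure(start, trusts):
    """Domains reachable from `start` by chaining intra-forest (transitive) trusts."""
    seen, queue = {start}, deque([start])
    while queue:
        here = queue.popleft()
        for t in trusts:
            if t.kind == "intra_forest":
                for src, dst in t.edges():
                    if src == here and dst not in seen:
                        seen.add(dst)
                        queue.append(dst)
    return seen

def accessible_from(domain, trusts):
    """Domains whose resources users of `domain` can reach: intra-forest trusts chain,
    an external trust reaches one domain only, a cross-forest trust reaches one forest."""
    own_forest = _forest_closure(domain, trusts)
    result = set(own_forest)
    for t in trusts:
        for src, dst in t.edges():
            if t.kind == "external" and src == domain:
                result.add(dst)                         # non-transitive: direct only
            elif t.kind == "cross_forest" and src in own_forest:
                result |= _forest_closure(dst, trusts)  # whole other forest, no further hop
    return result - {domain}

# Constructed sample (illustrative names): forest corp.example {sales, eng}, forest partner.example
# {hr}, forest vendor.example, and a Windows 2000 domain legacy.example trusting eng.corp.example one way.
SAMPLE_TRUSTS = [
    Trust("corp.example", "sales.corp.example", "intra_forest", two_way=True),
    Trust("corp.example", "eng.corp.example", "intra_forest", two_way=True),
    Trust("partner.example", "hr.partner.example", "intra_forest", two_way=True),
    Trust("corp.example", "partner.example", "cross_forest", two_way=True),
    Trust("partner.example", "vendor.example", "cross_forest", two_way=True),
    Trust("legacy.example", "eng.corp.example", "external"),
]
```

Running `accessible_from("sales.corp.example", SAMPLE_TRUSTS)` shows the whole partner forest but not vendor.example, and `accessible_from("legacy.example", SAMPLE_TRUSTS)` is empty because the external trust is one-way.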

Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valued Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at
